Commit 6215894e authored by Darrick J. Wong's avatar Darrick J. Wong

xfs: check that dir block entries don't off the end of the buffer

When we're checking the entries in a directory buffer, make sure that
the entry length doesn't push us off the end of the buffer.  Found via
xfs/388 writing ones to the length fields.
Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: default avatarBrian Foster <bfoster@redhat.com>
parent cfaf2d03
...@@ -136,6 +136,8 @@ __xfs_dir3_data_check( ...@@ -136,6 +136,8 @@ __xfs_dir3_data_check(
*/ */
if (be16_to_cpu(dup->freetag) == XFS_DIR2_DATA_FREE_TAG) { if (be16_to_cpu(dup->freetag) == XFS_DIR2_DATA_FREE_TAG) {
XFS_WANT_CORRUPTED_RETURN(mp, lastfree == 0); XFS_WANT_CORRUPTED_RETURN(mp, lastfree == 0);
XFS_WANT_CORRUPTED_RETURN(mp, endp >=
p + be16_to_cpu(dup->length));
XFS_WANT_CORRUPTED_RETURN(mp, XFS_WANT_CORRUPTED_RETURN(mp,
be16_to_cpu(*xfs_dir2_data_unused_tag_p(dup)) == be16_to_cpu(*xfs_dir2_data_unused_tag_p(dup)) ==
(char *)dup - (char *)hdr); (char *)dup - (char *)hdr);
...@@ -164,6 +166,8 @@ __xfs_dir3_data_check( ...@@ -164,6 +166,8 @@ __xfs_dir3_data_check(
XFS_WANT_CORRUPTED_RETURN(mp, dep->namelen != 0); XFS_WANT_CORRUPTED_RETURN(mp, dep->namelen != 0);
XFS_WANT_CORRUPTED_RETURN(mp, XFS_WANT_CORRUPTED_RETURN(mp,
!xfs_dir_ino_validate(mp, be64_to_cpu(dep->inumber))); !xfs_dir_ino_validate(mp, be64_to_cpu(dep->inumber)));
XFS_WANT_CORRUPTED_RETURN(mp, endp >=
p + ops->data_entsize(dep->namelen));
XFS_WANT_CORRUPTED_RETURN(mp, XFS_WANT_CORRUPTED_RETURN(mp,
be16_to_cpu(*ops->data_entry_tag_p(dep)) == be16_to_cpu(*ops->data_entry_tag_p(dep)) ==
(char *)dep - (char *)hdr); (char *)dep - (char *)hdr);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment